It looks like they’ve done some more digging, as an emailed statement to the New York Times indicated that, “unbeknownst to the hotel, the Internet service provider (ISP) was utilizing functionality that allowed advertising to be pushed to the end user. The ISP has assured the hotel that this functionality has now been disabled.”

We spoke also with Justin Watt, the guest who noticed the issue, who says that he received the same email press statement shared with the public.

“I feel like their response could have been more transparent and information dense,” he wrote in an email to Gadling today, and indicates that he updated his original blog post to state the following:

What bugs me about their response is that the device required to do this type of on-the-fly JavaScript injection of HTML is both rare and expensive. It requires specialized hardware (like the RG Nets’ RXG-A8) starting at a cost of $10,000. In other words, this hardware was procured precisely for the purpose of perpetrating this kind of attack… the optimal solution to this snafu wasn’t simply that “we’ve disabled the functionality”-it has to be “we’ve removed/replaced the offensive hardware”. Nothing less is sufficient. Otherwise, what’s to stop someone from accidentally (or otherwise) re-enabling it later?

Marriott has assured users that “at no time was data security ever at risk,” but the question is, should they be more transparent in sharing their fixes to the issue?